‘Microsoft Windows Heap Based Overflow Exploiting’

Summary

Presented in this article are several documents discussing Heap based exploitation in Microsoft Windows. The documents present the challenges in heap exploitation and ways to create exploitation more stable.’

Credit:

‘The original article can be found at: http://www.cybertech.net/~sh0ksh0k/heap/


Details

‘Matt Conover & Oded Horovitz released several documents explaining heap based overflow exploitation in the Microsoft Windows platforms.

Heap Based Overflow Exploitation Before Windows XP Service Pack2:
Introduction:
Heap vulnerabilities become mainstream DCOM (seems to be the inflection point), Messenger, MSMQ, Script Engine.
Even experts use some voodoo magic as main ingredient of exploits:
 * Making a 4-byte overwrite (discussed more later) is a guess work
 * Failures are not well understood
 * Available exploits are service pack dependent
 * Shellcode address is not known,
 * SEH address varies between service packs
 * During exception handling, pointer to buffer can be found on the stack (in exception record)
 * Address of instruction that access the stack is needed, which is SP dependent

Findings:
 * Found several techniques at each stage of a heap overflow that greatly improve reliability
 * Much greater understanding of the Windows heap internals and its processes.
 * Determined why existing techniques are unreliable
 * XP SP2 will greatly improve protection and stop all currently used techniques

The full presentation can be found at: http://www.cybertech.net/~sh0ksh0k/heap/CSW04 – Reliable Windows Heap Exploits.ppt
Source code accompanying the presentation can be found at: http://www.cybertech.net/~sh0ksh0k/heap/pre_xpsp2.zip

Heap Based Overflow Exploitation After Windows XP Service Pack2:
Agenda:
 * Practical Windows heap internals
 * How to exploit Win2K WinXP SP1 heap overflows
 * Assessment of WinXP SP2 improvements
 * How to exploit WinXP SP2 heap overflows

The full presentation can be found at: http://www.cybertech.net/~sh0ksh0k/heap/XPSP2 Heap Exploitation.ppt
Source code accompanying the presentation can be found at: http://www.cybertech.net/~sh0ksh0k/heap/xpsp2.zip

Commented Example:
A fully documented example on exploiting a heap overflow can be found at: http://www.cybertech.net/~sh0ksh0k/heap.txt
It was originally written for the CanSecWest 2004 presentation. The code will work unchanged on Win2K SP0-SP4 and WinXP SP0-SP1.’

Categories: Reviews